The company also cleared up how the hacker was able to get around multi-factor authentication.
Uber has published additional information about how it was hacked, claiming that it was targeted by LAPSUS$, a cybercriminal gang with a hefty track record that is thought to be composed largely of teenagers.
Last week, someone broke into Uber’s network and used the access to cause all sorts of chaos. The culprit, who claims to be 18 years old, managed to spam company staff with vulgar Slack messages, post a picture of a penis on the company’s internal websites, and leak images of Uber’s internal environment to the web. Now, the ride-share giant has released a statement providing details on its ordeal.
In particular, the company has released more information about how it was hacked, largely confirming the account given by the hacker themselves. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed that they conducted a social engineering scheme to convince the contractor to authenticate the login attempt.
Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.
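The pattern described above (a burst of unanswered or rejected push prompts followed by one approval) is something a defender can look for in authentication logs. The sketch below is an added example, not taken from Uber's statement or from any vendor's product; the event fields, the 10-minute window, the threshold of five and the sample log lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved pushes that makes a burst

# Constructed sample events: (ISO timestamp, user, source IP, push result).
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "203.0.113.7", "timeout"),
    ("2024-01-01T09:01:00", "alice", "203.0.113.7", "denied"),
    ("2024-01-01T09:02:00", "alice", "203.0.113.7", "timeout"),
    ("2024-01-01T09:03:00", "alice", "203.0.113.7", "timeout"),
    ("2024-01-01T09:04:00", "alice", "203.0.113.7", "denied"),
    ("2024-01-01T09:05:00", "alice", "203.0.113.7", "timeout"),
    ("2024-01-01T09:06:00", "alice", "203.0.113.7", "approved"),  # approval after a burst
    ("2024-01-01T09:10:00", "bob", "198.51.100.4", "denied"),     # one mistyped prompt
    ("2024-01-01T09:11:00", "bob", "198.51.100.4", "approved"),
    ("2024-01-01T10:00:00", "carol", "192.0.2.9", "timeout"),     # spread out, not a burst
    ("2024-01-01T10:12:00", "carol", "192.0.2.9", "timeout"),
    ("2024-01-01T10:24:00", "carol", "192.0.2.9", "timeout"),
    ("2024-01-01T10:36:00", "carol", "192.0.2.9", "timeout"),
    ("2024-01-01T10:48:00", "carol", "192.0.2.9", "timeout"),
    ("2024-01-01T10:50:00", "carol", "192.0.2.9", "approved"),
]

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Flag approvals preceded by >= threshold unapproved pushes inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    alerts = []
    for ts_raw, user, ip, result in sorted(events):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        pending = recent[user]
        while pending and ts - pending[0] > window:  # drop pushes older than the window
            pending.popleft()
        if result in ("denied", "timeout"):
            pending.append(ts)
        elif result == "approved":
            if len(pending) >= threshold:
                alerts.append({"user": user, "approved_at": ts_raw,
                               "source_ip": ip, "unapproved_in_window": len(pending)})
            pending.clear()  # a completed login resets the user's counter
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert from a rule like this is a reason to review the session that the approval created, since the approval itself is the event that grants access.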
Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cybercrime gang “LAPSUS$.” It’s not totally clear how Uber knows that. The company’s statement reads:
We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so…There are also reports over the weekend that this same actor breached video game maker Rockstar Games.
As you may have heard, Rockstar Games was, indeed, hacked this week, in a fairly disastrous episode that saw footage of its unreleased title Grand Theft Auto VI leaked online in a fairly unfinished state. The hacker behind that breach is claiming that they’re the same person behind the Uber hack. Gizmodo reached out to Rockstar Games to inquire whether it could attribute its own data breach to the LAPSUS$ gang. We will update this story if we hear back.
LAPSUS$ rose to prominence earlier this year when the gang claimed to have hacked a number of prominent tech companies, including Microsoft, Cisco, Samsung, Okta, Nvidia, and Ubisoft, among others. The alleged ringleader of the gang, a 16-year-old who went by the pseudonym “White,” was arrested in March but, due to his age, his identity has not been publicly revealed. The gang has continued to be active, however, as this recent episode appears to demonstrate.
In its update, Uber also reiterated that it had not seen any evidence to suggest that user data was compromised during the incident:
…we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.
Let’s hope they’re right about that.